Acme.sh: Add compatibility with certbot

Created on 15 Nov 2016 · 18 Comments · Source: acmesh-official/acme.sh

Certbot is kind of the default implementation, and it would be very cool if acme.sh could be used as a direct drop-in replacement.

Here is a typical command line for certbot. Most options are mostly the same, with minor differences.

/usr/local/bin/certbot certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains example.org --domains www.example.org --webroot-path /interface/acme

All 18 comments

@non7top

If there is any useful option that certbot has but acme.sh doesn't have, please feel free to create issue here.

But it's never our goal to keep compatibility with certbot. I really don't like how certbot works; that's why I wrote acme.sh.

Neil, I'm curious what those things you don't like about certbot are (besides the huge number of dependencies).

@FernandoMiguel

When I first knew certbot, it wasted my whole weekend to install it on my server, and it's also a big pain to read the doc; the command-line options are not obvious to starters. And there wasn't even a doc telling me how to start.

When I searched the web, I found everywhere something like:

letsencrypt  certonly  -- .........

Nobody explained how it worked. They just copied and pasted.
And it was also really silly to use the parameter certonly here.

Why was there a certonly? Does that mean the letsencrypt client can do something else other than issuing a cert? Imagine I'm a new starter who just heard about letsencrypt: what am I expecting the letsencrypt client to do for me? Yes, you know, I just need a cert.

From my point of view, the parameters/usage of the letsencrypt client are designed from the programmer's point of view. They think little about what the end users really want. They have not done enough to make things easy/happy enough for the user.

In almost every article/post that introduced the letsencrypt client, I could see that: the user must install the client step by step, must edit some config files by hand, must know what a cronjob is, must write their own cronjob and renew script to renew certs. They must know this and that, they must do this and that.

It was a big waste of time for the users. It's too expensive. Come on, they just need a cert, right?

The situation might be better now than it was then, but I have never read any docs about certbot from then on.

So, I started reading the ACME protocol, and learned that things are dead simple. It should not be as complicated as the letsencrypt client made it.

Then I started acme.sh, to make things simple, easy and stupid. To save everybody's time.

I spent a couple of hours this weekend (so latest documentation available) trying to figure out how to do DNS01 with the letsencrypt client... gave up.

And that's why I keep on using acme.sh.... amazing support, very light install, great documentation, and does the job.

@FernandoMiguel

Thanks. Yes, that's what I'd like to see.

Another pain was that the letsencrypt client must run as root, and it upgraded every software package it needs on my system!!!!!! It's crazy behavior. It could probably kill the system.

It's my goal to save everybody's time. Time is expensive for you, me and everyone.

If it costs more than 1 hour for me to get a 3-month cert, why don't I spend $1 USD to buy a 1-year cert from Comodo?

Sorry about my too many complaints.

Hey, I'm the one that asked :)
Keep up the great work.

Hi, sorry to hijack, but I was wondering how would I go about replacing certbot with acme.sh?

Should I just apt-get remove certbot --purge and then re-issue and re-install my certs with acme.sh? Would the current certificates be replaced with new ones? Is that a problem? (to "re-issue" before 3 months from another program).

Some domains would be the same as before (with certbot), but I have a few subdomains to add to the chain. Love acme.sh and have been using on a few installs, but this one was before I knew about acme.sh.

@tavinus

Yes, you can remove certbot or just forget it.

Just install acme.sh and there would be no problems.

Talking about the "--expand" option in certbot: is there a recommended way to add domains to an existing certificate with acme.sh?

@enzomich
What is the option "--expand" used for?

@Neilpang To add domains to existing certificates. See e.g. http://stackoverflow.com/questions/38302401/letsencrypt-add-domain-to-existing-certificate

Why not use --issue to issue a new one?

@enzomich

With certbot, according to the stackoverflow page linked above, trying to reissue a certificate for an already existing domain (plus the one to be added) results in an error "Result: error folder test.example.com already exists", so I thought that the same was going to happen with acme.sh.

@enzomich
No, that would not happen in acme.sh

OK thanks, I'll give it a try.

But you have to --force a renewal (which can hit rate limits) when adding domains to an existing cert (= expanding), right?

@bolera Yes
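To make the "drop-in replacement" idea from the opening post concrete, here is a small POSIX shell wrapper, added as an example and not part of acme.sh or certbot, that translates a certbot "certonly" command line (such as the one at the top of this issue) into the matching acme.sh "--issue" invocation and prints it instead of running it, so you can inspect the mapping before anything touches your account or rate limits. It assumes the acme.sh options --issue, -d, -w, --keylength, --accountemail, --server, --standalone, --staging and --force exist as used here; following the last exchange in this thread, certbot's --expand is mapped to acme.sh's --force. It goes a little beyond the page by also handling comma-separated --domains lists, the standalone authenticator and --staging. The e-mail address in the sample run is a constructed placeholder, since the real one is not on the page.

```shell
#!/bin/sh
# certbot_to_acme: translate a certbot "certonly" command line into the
# equivalent acme.sh "--issue" command and print it (dry run, nothing is
# executed). Hypothetical helper written for this thread, not acme.sh code.
certbot_to_acme() {
    acme_cmd="acme.sh --issue"
    webroot_path=""
    authenticator=""
    while [ $# -gt 0 ]; do
        case "$1" in
            certbot|*/certbot|certonly|-n|--non-interactive|--text|--agree-tos)
                # No-ops: acme.sh is non-interactive and has no "certonly" sub-command
                ;;
            --expand)
                # acme.sh has no --expand; per this thread, re-issue with --force
                acme_cmd="$acme_cmd --force"
                ;;
            --authenticator|-a)
                authenticator="$2"; shift
                ;;
            --webroot-path|-w)
                webroot_path="$2"; shift
                ;;
            --server)
                acme_cmd="$acme_cmd --server $2"; shift
                ;;
            --rsa-key-size)
                acme_cmd="$acme_cmd --keylength $2"; shift
                ;;
            --email|-m)
                acme_cmd="$acme_cmd --accountemail $2"; shift
                ;;
            --domains|--domain|-d)
                # certbot accepts "a.example,b.example"; acme.sh wants one -d per name
                for dom in $(printf '%s' "$2" | tr ',' ' '); do
                    acme_cmd="$acme_cmd -d $dom"
                done
                shift
                ;;
            --staging|--test-cert)
                acme_cmd="$acme_cmd --staging"
                ;;
            *)
                printf 'certbot_to_acme: unsupported option: %s\n' "$1" >&2
                return 1
                ;;
        esac
        shift
    done
    # Validation mode is decided after the loop, because --webroot-path may
    # appear anywhere on the certbot command line.
    case "$authenticator" in
        webroot|"")
            if [ -z "$webroot_path" ]; then
                printf 'certbot_to_acme: webroot mode needs --webroot-path\n' >&2
                return 1
            fi
            acme_cmd="$acme_cmd -w $webroot_path"
            ;;
        standalone)
            acme_cmd="$acme_cmd --standalone"
            ;;
        *)
            printf 'certbot_to_acme: authenticator %s has no direct acme.sh mapping\n' "$authenticator" >&2
            return 1
            ;;
    esac
    printf '%s\n' "$acme_cmd"
}

# Sample run (constructed input modelled on the certbot command in this thread;
# the e-mail address is a placeholder, the real one is not on the page):
certbot_to_acme certbot certonly -n --text --agree-tos --expand --authenticator webroot \
    --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 \
    --email admin@example.org --domains example.org --domains www.example.org \
    --webroot-path /interface/acme
```

The wrapper deliberately prints rather than executes: re-issuing with --force counts against Let's Encrypt rate limits, as the previous comment notes, so a dry run lets you confirm that the domain list and webroot are what you expect before committing. Unknown certbot options make it fail loudly instead of silently dropping them.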
